Note: This post will refer and link to allegedly classified programs leaked by Edward Snowden, and potentially others, in the past several years. If accessing this article from certain networks, readers are strongly advised to preview links before following them due to the possibility that such an action may be considered a spillage of classified information. As always, Think When you Click.©

I recently noted an aspect of Internet (in)security that has bothered me for many years now: how the very mechanism through which traffic routes its way through the Internet (Border Gateway Protocol, or BGP) also presents a significant and actively-exploited weakness. BGP “hijacking” is, at its core, the rerouting of Internet traffic through false route advertisements or ownership announcements by autonomous systems (AS, essentially, collections of routers under one administrative control that announce and carry traffic for certain IP address ranges). An example of what this “looks like” can be found in the figure below from BGPMon’s BGPStream. While on its face somewhat innocuous or merely annoying (traffic just moves through different nodes, potentially resulting in connections failing), such actions can be leveraged for very interesting purposes.
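As an added, defender-side illustration (not code from the original post or from BGPMon), the check below compares observed origin announcements against a table of expected prefix ownership, in the spirit of RPKI route-origin validation, and flags both a foreign AS claiming a covered prefix and the more-specific announcement that pulls traffic away from the legitimate route; all prefixes and AS numbers are constructed documentation and private-use values.

```python
import ipaddress

# Constructed "expected ownership" table, in the spirit of RPKI ROAs:
# prefix -> (legitimate origin AS, longest prefix length the owner permits).
# Documentation prefixes and private-use ASNs only; not real allocations.
EXPECTED = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

def classify_announcement(prefix, origin_as, expected=EXPECTED):
    """Judge one observed (prefix, origin AS) pair against the ownership table.

    "valid": a covering record matches origin and permitted length.
    "origin-hijack": covered space, but no record names this AS as owner.
    "more-specific": right owner, but longer than permitted (a more specific
    route wins forwarding, so this is how traffic gets pulled elsewhere).
    "unknown": no record covers the prefix, so it cannot be judged here.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = right_owner = False
    for covering, (owner_as, max_len) in expected.items():
        cov = ipaddress.ip_network(covering)
        if net.version != cov.version or not net.subnet_of(cov):
            continue
        covered = True
        if origin_as == owner_as:
            right_owner = True
            if net.prefixlen <= max_len:
                return "valid"
    if not covered:
        return "unknown"
    return "more-specific" if right_owner else "origin-hijack"

# Constructed sample feed of announcements, as a route monitor would present them.
OBSERVED = [
    ("203.0.113.0/24", 64500),   # owner announcing its own space
    ("203.0.113.0/24", 64666),   # a different AS claims the same prefix
    ("198.51.100.0/23", 64501),  # owner, within the permitted length
    ("198.51.100.0/25", 64501),  # owner, but more specific than permitted
    ("198.51.100.0/25", 64666),  # foreign AS announcing a more specific: the traffic-pull case
    ("192.0.2.0/24", 64502),     # nothing known about this prefix
]

def find_suspicious(observed, expected=EXPECTED):
    """Return (prefix, origin_as, verdict) for every announcement worth an alert."""
    alerts = []
    for prefix, origin_as in observed:
        verdict = classify_announcement(prefix, origin_as, expected)
        if verdict in ("origin-hijack", "more-specific"):
            alerts.append((prefix, origin_as, verdict))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(OBSERVED):
        print("suspicious announcement: prefix=%s origin=AS%d reason=%s" % alert)
```

A real deployment would feed this from a route collector or RPKI validator rather than a static table, but the two verdicts it raises are exactly the announcement shapes seen in the incidents discussed below.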

First and foremost is the opportunity to shape or otherwise manipulate traffic so that it passes through controlled infrastructure. In this fashion, an attacker can leverage BGP hijacking to ensure traffic for services or addresses of interest flows through its own controlled infrastructure before moving on to the legitimate network. Once successfully completed, an adversary can collect, monitor, or potentially even modify traffic as it flows through attacker-controlled devices, with very little that defenders can do about matters once the reroute is in motion.

Inadvertent examples of BGP hijacking go back as far as 1997, through misconfigurations or administrative errors. But since at least 2010, multiple incidents – some linked to China, others to Russian interests, and yet more to Iran – have occurred where such rerouting through suspicious BGP advertisements seems deliberate and potentially targeted, given the focus on services such as Google, Amazon, and secure messaging platforms such as Telegram. While seemingly salacious and provocative on its face, the actual utility of such traffic shaping can be called into question. With the increasing use of encryption across all manner of Internet traffic, the ability to do anything with redirected traffic (aside from possibly disruption) would seem rather limited. Yet looking at previous alleged activity, current developments, and revived government interest in matters of encryption reveals interesting possibilities.

To begin with a digression, one of the more interesting (in this author’s opinion) observations from the Snowden leaks was disclosure of an alleged program for conducting man-on-the-side and man-in-the-middle traffic injection. In some quarters, this program (possibly referred to as “QUANTUM” or, in specific instantiations, “QUANTUM INSERT”) was called a tool to weaponize (or even ‘take down’) the entire Internet. The alleged tool functionality focused on paired capabilities: first, the ability to monitor traffic to popular services or applications (e.g., Facebook, or potentially any HTTP traffic to or from an IP of interest), married to the capability for injecting or inserting traffic into monitored communications upon identifying a traffic stream of interest. In this fashion, exploit code or other capabilities could be injected into network traffic without ever having to worry about user interaction, host-based vulnerability (beyond the executing browser), or other initial access concerns. Such a capability allows for nearly silent exploitation, with defense resting largely on the browser once traffic has been successfully injected. While not invincible, such a capability (once stood up) is relatively cheap and easy to deploy while also being nearly impossible to accurately trace.

So what does the above have to do with BGP hijacking activity? Well, more traditional mechanisms to gain midpoint or related access to communication traffic (like undersea cable taps or router exploitation) require either physical access with significant investment in capabilities like special-purpose submarines, or highly capable network exploitation and network device modification activity. In contrast, BGP rerouting is a technically simple (and significantly cheaper) attack mechanism to achieve traffic shaping toward collecting (or injecting) infrastructure over which the attacker has complete and direct control. Once enacted, all that is required is some system serving as a midpoint for the now-rerouted traffic that has both visibility into said traffic and the ability to inject into that traffic to achieve a successful attack package. Certain items such as tasking and targeting fidelity might prove troublesome, but in more permissive targeting environments (or for regimes with few if any legal scruples) such items can be waved away as overhead or acceptable collateral damage.

Some applications of this might be so obvious as to invite clear reproach and potential repercussions – such as rerouting all Twitter traffic through PRC-managed infrastructure for two hours. This is where matters get especially interesting given particular country network configurations. Most of this audience is likely already familiar with the PRC-deployed Great Firewall, and somewhat fewer may be aware of Russia’s attempts to deploy similar technology. Less well-known and not as frequently discussed is how these capabilities are often leveraged for active operations. For example, while there has been previous writing on the PRC “Great Cannon” DDoS capability, the Great Firewall has already likely shown its value as an active, attack-enabling mechanism through traffic manipulation and injection. While much speculation on BGP hijacking focuses on intelligence collection (even for things such as encrypted network traffic, which might be analyzed some years in the future with the arrival of quantum computers or similar MacGuffins), the real possibility has been staring us in the face since at least 2013 – how BGP traffic shaping can be leveraged to enable widespread, difficult-to-detect or -defend intrusions.

Going back to the QUANTUM discussion, a BGP hijack essentially removes the most expensive aspect of traffic shaping and monitoring by directing traffic of interest through attacker-controlled infrastructure. Once this step is complete, all an attacker needs is the ability to monitor, analyze, and then inject into traffic – items which, since traffic is passing through attacker-controlled devices, are difficult in terms of timing but far from impossible. Thus, an attack model supposedly planned to carefully merge public-facing monitoring with classified network targeting to achieve man-on-the-side injection capability is reduced to capability residing on single devices to perform a much easier man-in-the-middle attack on traffic.

Yet, the evolution of network communications since the alleged NSA program was developed (based on Snowden leaks) – plus any copycat implementations – means we are now dealing with a significantly different landscape than the early 2010s. Encryption of network traffic is now, for nearly all major, legitimate services, a default setting. HTTPS and similar TLS wrapping rules the day for everything from web-based email to social media to checking sports scores. Given the requirement for visibility into traffic streams for both targeting and subsequent injection purposes, encryption would seem to be a dealbreaker for any sort of application of QUANTUM-like technology, whether residing on an undersea cable tap or a state ISP-owned router with “extra” government-mandated capabilities.

But at the same time, while default encryption has ruled the conversation commercially for years, within government circles (not just in authoritarian regimes such as PRC or Russia, but in the US and UK among others as well) there are increasing calls to “roll back” communication security or introduce “backdoors” available to law enforcement (or other authorities). Often, such calls are made in a pearl-clutching “but what of the children” argument revolving around child pornography or terrorism – obviously awful things, but items which have also existed (and flourished) long before the Internet existed, and will do so long after it goes away.

Irrespective of the civil liberties and general security concerns of degrading encryption schemes, introducing government-managed, vendor-added encryption “backdoors” or “skeleton keys” also revives traffic manipulation and injection possibilities. While most discussion has focused on child pornography and exploitation – law enforcement matters – the lack of sufficient separation between law enforcement and national security or intelligence entities in some polities, and the inclusion of terrorism as another justification which directly draws in intelligence agencies, mean decryption mechanisms are likely to be readily and legally available to entities capable of and desiring to use them for man-in-the-middle operations. This may even extend to attempting to exploit traffic (e.g., by adding beacons) from identified child pornography resources to geolocate or otherwise identify forum users and criminals, bringing law enforcement entities into the same active attack space as traditional intelligence agencies.

Nonetheless, the encryption “debate” may effectively revive a capability thought more or less dormant (at least until quantum computing arrives) for using traffic manipulation and midpoint access for active exploitation. Moreover, given the requirement for vendor implementation, such programs will create an incredibly high-value target – potentially even more valuable than developer signing keys – for hostile intelligence agencies to capture for malicious purposes. For example, having identified a messenger application of interest, a cyber-capable intelligence agency can attempt to break in and steal relevant portions of the vendor’s unlocking sequence to then deploy on either physical infrastructure taps or in conjunction with BGP hijacking to achieve midpoint collection and injection capability on traffic of interest. This could be used against targets ranging from terrorists to dissidents, aside from the drug runners and exploiters of children who justified the development of such a program in the first place.

For now, the best and surest way to defeat such mechanisms is through the default use of strong encryption mechanisms for all communication, especially any communication that flows outside of directly-managed networks. Although theoretically possible with technological leaps, even intelligence collection from strongly encrypted traffic is at best incredibly difficult aside from metadata, while actual manipulation and injection is nearly impossible. Migrating away from stand-alone applications may also be necessary for some entities, depending on how debates on encryption backdoors play out – where third-party applications such as WhatsApp or Signal are required to carry some backdoor, an internally-managed chat instance using publicly-available and -tested encryption schemes may be necessary. Unfortunately this is at best inconvenient and at worst introduces other types of risk, and depending on legal language and implementation may fall afoul of relevant laws. In any event, shifting debates on privacy and government access to secure communication channels, combined with the continued vulnerability of fundamental traffic direction mechanisms in Internet traffic, mean a capability that started out as quite frightening but became less relevant due to positive shifts in transport security may become all-too-relevant yet again in the near future.